CVE-2009-1241: ClamAV RAR Parser Security Bypass

On 2 April 2009, security researcher Thierry Zoller disclosed this vulnerability, which allows an attacker to bypass the ClamAV scanner because the RAR unarchiver built into ClamAV could not handle certain specially crafted RAR files. Releases prior to 0.95 are vulnerable. The following code is taken from the ClamAV 0.94.2 release, the last release affected by this bug; here is the vulnerable function:

This function writes (line 156) the bytes pointed to by its second argument, data, to the output tracked by the unpack_data structure, i.e. the unpacked contents of the archive member. It lives in libclamunrar/unrar.c. If the write() call succeeds, the running CRC is updated at line 158. Note that this function operates directly on data derived from the user-controlled RAR file. To make the function easier to follow, here are a few members of the unpack_data_t structure as declared in libclamunrar/unrar.h:

First true_size is updated and the CRC is computed over the data. Then a check is made against the maximum size: if max_size is non-zero and written_size has already reached it, the function returns immediately without writing anything. Otherwise, if max_size is non-zero but there is still room, a second check ensures that written_size + size does not exceed max_size, so that the write is clamped to the limit rather than overshooting it.
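To make the behaviour described above concrete, here is an added example (not ClamAV's code) of a bounded write routine modelled on the checks just described, together with a caller that unpacks a constructed member in chunks. Only true_size, written_size, max_size and the CRC correspond to members the page names; the `truncated` flag, the `unpack_state_t` layout, `bounded_write`, `unpack_member` and the `member_result_t` verdicts are assumptions added for illustration. The point the example makes is that a size limit which silently drops data must be surfaced to the caller: a scanner that treats a truncated member as fully scanned has a blind spot exactly where an attacker would put the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical unpack state, modelled on the members discussed in the text.
 * The output buffer stands in for the temporary file descriptor. */
typedef struct {
    uint8_t  out[4096];    /* stands in for the temporary output file */
    size_t   written_size; /* bytes that actually reached the output */
    size_t   true_size;    /* bytes the archive produced, limited or not */
    size_t   max_size;     /* unpack limit; 0 means unlimited */
    uint32_t unp_crc;      /* CRC-32 over everything decoded */
    int      truncated;    /* assumption: set as soon as any byte is dropped */
} unpack_state_t;

/* Bitwise CRC-32 (IEEE polynomial), usable incrementally across calls. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC-32 of a whole buffer, starting from the zero state. */
uint32_t crc32_of(const uint8_t *buf, size_t len)
{
    return crc32_update(0, buf, len);
}

/* Bounded write in the style the text describes: account for the full size,
 * update the CRC over the full data, then enforce max_size on what is stored.
 * Returns 1 on success (including a clamped or dropped write) and 0 only if
 * the output itself cannot take the data. */
int bounded_write(unpack_state_t *st, const uint8_t *data, size_t size)
{
    st->true_size += size;                               /* counts dropped bytes too */
    st->unp_crc = crc32_update(st->unp_crc, data, size); /* CRC over the full stream */

    if (st->max_size) {
        if (st->written_size >= st->max_size) {          /* limit already reached */
            st->truncated = 1;
            return 1;
        }
        if (st->written_size + size > st->max_size) {    /* clamp the tail */
            size = st->max_size - st->written_size;
            st->truncated = 1;
        }
    }
    if (st->written_size + size > sizeof st->out)
        return 0;
    memcpy(st->out + st->written_size, data, size);
    st->written_size += size;
    return 1;
}

typedef enum { MEMBER_COMPLETE = 0, MEMBER_TRUNCATED = 1, MEMBER_ERROR = 2 } member_result_t;

/* Caller-side policy: unpack a member delivered in chunks and report whether
 * the scanner actually saw all of it. Treating MEMBER_TRUNCATED as "clean"
 * would be the blind spot; returning it lets the caller decide instead. */
member_result_t unpack_member(unpack_state_t *st, const uint8_t *member,
                              size_t member_len, size_t chunk, size_t max_size)
{
    memset(st, 0, sizeof *st);
    st->max_size = max_size;
    for (size_t off = 0; off < member_len; off += chunk) {
        size_t n = member_len - off < chunk ? member_len - off : chunk;
        if (!bounded_write(st, member + off, n))
            return MEMBER_ERROR;
    }
    return st->truncated ? MEMBER_TRUNCATED : MEMBER_COMPLETE;
}

int main(void)
{
    /* Constructed sample member: 1000 bytes of a repeating byte pattern. */
    uint8_t member[1000];
    for (size_t i = 0; i < sizeof member; i++) member[i] = (uint8_t)(i * 7);
    unpack_state_t st;

    member_result_t r1 = unpack_member(&st, member, sizeof member, 128, 0);
    printf("unlimited: result=%d written=%zu true=%zu crc=%08x\n",
           (int)r1, st.written_size, st.true_size, (unsigned)st.unp_crc);

    member_result_t r2 = unpack_member(&st, member, sizeof member, 128, 300);
    printf("max 300:   result=%d written=%zu true=%zu crc=%08x\n",
           (int)r2, st.written_size, st.true_size, (unsigned)st.unp_crc);
    return 0;
}
```

With max_size set to 300 and 128-byte chunks, the third chunk is clamped to 44 bytes and every later chunk is dropped, so written_size stops at 300 while true_size still reaches 1000 and the CRC still covers the whole stream. The verdict MEMBER_TRUNCATED is what a scanning loop like cli_scanrar() needs to see, so that it can apply its limit policy deliberately rather than inferring "nothing found" from a member it never fully examined.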
The final fix landed in libclamav/scanners.c, in the function cli_scanrar(). The patch simply extended the initial checks performed there to cover the newly added limits: